Apple iOS malware gets onto 75,000 iPhones, steals ad clicks

Filed Under: Apple, Featured, iOS, Malware

You don't see a lot of malware for iPhones or iPads.

One reason for that is Apple's strict control over what you're allowed to install on your own device.

So it's intriguing to see an iOS malware analysis in specialist threat research publication Virus Bulletin (VB).

The malware, which Sophos products detect as iPh/AdThief-A, was apparently created with the express purpose of conducting online ad fraud.

Who is at risk?

Fortunately, AdThief only affects jailbroken devices.

Jailbreaking is where you go out of your way to remove Apple's security controls (ironically, usually by exploiting a security vulnerability) in order to win the freedom to do what you like with your iPhone or iPad.

Interestingly, to write a proper anti-virus for iOS that could block malware preventatively, you'd need to intercept important system calls such as "visit this URL," "open that file" and "run this app".

But to do that, you'd need to jailbreak.

And by jailbreaking, you'd also open up the risk of malicious apps intercepting system calls for criminal purposes.

According to VB, that's exactly what AdThief does, waiting for you to click on someone else's ad with someone else's affiliate code, and then putting the crook's affiliate code in there instead.

Affiliate codes are those curious looking text strings you put into advertisement URLs on your own website, so that if someone clicks on them, you get a referral fee from the ad network.

If a crook can switch out your affiliate code for his own, he essentially steals revenue that should have been yours.

The money in mobile ads

With lots of mobile apps, especially games, supported by in-app ads, there's plenty of money to be made if your app becomes popular.

For example, Dong Ngyuen, author of the erstwhile smash-hit game Flappy Bird, is said to have been pulling in up to $50,000 per day before he abruptly pulled the game from both the Apple App Store and the Google Play Store.

Ngyuen's revenues, of course, were helped by the enormous reach and brand power of Apple and Google, with millions of genuine users downloading his game.

That turned it into a cult classic almost overnight, which in turn fuelled yet more downloads, and yet more ad revenue.

Is jailbreak malware even worth it?

There isn't much iOS malware around, and most of it is for jailbroken devices only.

So, is money-making crimeware for the iPhone or iPad even worth it for the crooks?

The only true virus ever seen in the wild for iOS was Ikee, which Rickrolled you rather than trying to make money illegally.

Even though the author admitted that he tried to kickstart his virus by deliberately infecting a bunch of devices, and even though it could spread automatically by infecting across the network, Ikee fizzled out very quickly.

There were very few infections reported and little harm done in the end.

But AdThief has allegedly already infected about 75,000 jailbroken devices.

Even if the malware is only able to squeeze one cent a day in ad revenue out of 10% of its victims, that nevertheless comes out at a very handy $30,000 per year.

It might not be Flappy Bird territory, but it's not an amount to be sneezed at, either.

What to do?

We'd offer you a free copy of Sophos Anti-Virus and Security for iOS if we could; sadly, Apple says, "No."

Instead, we recommend that:

  • If you are a user, avoid jailbreaking your iDevice.
  • If you are a sysadmin, avoid letting jailbroken phones onto your network.

By the way, if you have jailbroken your iDevice, please be understanding if your sysadmin then says, "No."

PS. If you're interested in keeping jailbroken iPhones or rooted Androids off your business network, why not take a look at Sophos Mobile Control? It gives you the flexibility to open up your network to non-company devices without ending up in a free-for-all.

, , , , ,

You might like

15 Responses to Apple iOS malware gets onto 75,000 iPhones, steals ad clicks

  1. I think this headline is misleading. It should say, Apple iOS malware gets onto 75,000 jail broken iPhones, steals ad clicks

    You give credit to Apple for trying to keep iOS secure, yet your headline makes it look like they have failed. If users are stupid enough to jailbreak their phones then they get what they get. Surely this is no different to running XP. You're now running an unsupported, no security OS. What do you expect?

    • Paul Ducklin · 416 days ago

      Let me see if I can wade through your logic here.

      "Anyone who jailbreaks their phone is an idiot and deserves to be a victim."

      With friends like that...who needs enemies, eh ;-)

      I thought the headline was pretty unjudgmental, myself, and I don't think it gives the impression that Apple is at fault in any way.

      And anyone who does click through to see the story immediately faces these fairly unequivocal words: "You don't see a lot of malware for iPhones or iPads. One reason for that is Apple's strict control over what you're allowed to install on your own device."

      That's very closely followed by: "Who is at risk? Fortunately, AdThief only affects jailbroken devices."

      • JR · 414 days ago

        I will have to say that the statement "Anyone who jailbreaks their phone is an idiot and deserves to be a victim" is overbearing. However, anyone who jailbreaks their phone is not wise and has opened themselves up to be a victim. The difference, in the end, however, is the same.

      • Jim · 414 days ago

        Technically, you are correct Paul. However, Michael is correct that the headline (not the article) is somewhat misleading. Sticking the word "jailbroken" would help prevent that misreading.

        The earliest paragraphs make the focus clear, but someone might just read the headline. In the days of paper newspapers, everybody knew to ignore the headline, as it was almost always misleading. But in the modern era, where we're not so limited by space limitations, people expect more accurate headlines.

        So, I'm leaning towards Michael on this.

        Interestingly, since much of the article is actually about jailbroken phones and how they cause issues, perhaps emphasizing the word "jailbroken" would be appropriate? Perhaps:

        "Apple iOS malware gets onto 75,000 (jailbroken) iPhones, steals ad clicks"

        NOTE: If the word jailbroken or the parens makes it go to 3 lines, then the change should not be made. Every line of text in a headline makes it less readable and more likely to be skipped.

        • Paul Ducklin · 414 days ago

          I hear you, but you are saying in your second paragraph that in the modern era headlines "aren't limited by space" yet in your sixth paragraph that I've got an excuse because if the headline had gone to more than two (short) lines due to the extra word, people might have skipped it for being too long.

          Seems that a few people feel conned because if they had known the malware was only for jailbroken phones they wouldn't have wasted the time it took to read to the first few sentences of the article. I don't know what to say to that.

      • Edmond Momartin · 414 days ago

        I agree w/ Michael, had you included "jailbroken" in the title, i wouldn't have bothered reading through your post. I don't believe people who jailbreak their phones are stupid, but take a risk for a reward which is important to them.

  2. Paul, I understand what you say, but at no point did I use the word idiot or deserve to be a victim. I said they were stupid and turning off security means they get what they get.

    As someone who has spoken to your product teams over and over again about making the Mac client better and spoken to Chet on the same subject, please don't think this an Apple user trying to say Mac and iOS are free of attack. I just think any chance to enforce the point that jailbreaking is putting you at risk should be taken.

    I have been a customer of Sophos since the Savi Mimesweeper days and has been our Mac Anti Virus product for over 10 years.

    I understand the article explains the issue, but the headline could re-enforce it.

  3. Canuck · 415 days ago

    So if we know what the malware is doing - inserting the affiliate codes of the thief - why can these not be tracked to the thief via the company's who they are an affiliate with?

  4. José Pérez · 415 days ago

    Without trying to be a peacemaker here, I must say that the title is descriptive of a fact, not a misleading and judgemental position of the author. No possibility of a misunderstanding, even though English is not my native language.

    Malware exists for every platform. Apple's tight security approach (someones would think about a control freak firm) is what makes more difficult to have malware to get into iOS: you can think about running every kind of applications as an administrator in a Windows OS or with root privileges in Linux (these cases are the equivalent for jailbreak in iOS or root acces in Android). In these situations, the app gets the most privileges to do at 'will'

    It has to be said that in the Android platform, you can check an option to verify applications behaviour, which means that everything you install is under observation (again, there you have the ones thinking about Big Brother) and you get a warning or even the app is not allowed to be installed.

    Conclussion: in matters of security, there have to be some trade off. And no, I don't mean to give up all freedom.

  5. Paul · 414 days ago

    This will be edited out so it is an exercise in futility. Paul Ducklin and Sophos are like second children in the pecking order. Apple does not need them, and they are jealous. They are incapable of seeing there own
    faults, because they are themselves with an agenda they don't even recognize that they have. When you are so impressed with yourselves, your own flatulence is appealing to yourself.

    • Paul Ducklin · 414 days ago

      Their's no answer to that.

      • Steve · 413 days ago

        Oh, yes, there is. But civilized people wouldn't say it in public.

        The Apple fanboy population is represented here today, obviously. But what they're saying is equivalent to expecting Naked Security to include in every headline a qualifier such as "Windows and Linux PCs with no malware protection vulnerable to malware!"


        • Paul Ducklin · 413 days ago

          Errr, I was having a bit of fun with the OP's use of "there" when he meant to write "their". So I made the mistake in reverse. I suspect it was a lot funnier before I clicked "Post Comment" ;-)

  6. JR · 414 days ago

    Can you explain the part about Apple not allowing you to create Sophos for iOS?

    • Paul Ducklin · 414 days ago

      You can't write code that hooks into the OS to provide an alternative/extra layer of security, such as a decent anti-virus would need to filter file system operations reliably before they happened.

      You could do it with Cydia Substrate (for example) but not with unjailbroken iOS.

      On OS X, FWIW, if you want a product that has (amongst other things) a kernel driver, it can't be delivered via the App Store - why our product isn't in the App Store - and since iOS is "App Store only," it would in any case be fruitless to include kernel code even if you could. But you can at least provide kernel drivers for OS X.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog